[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8D8863BB65A02F47A303E5B7666126710152EEF0@exmb1.zonelabs.com>
Date: Tue, 22 Jun 2004 18:01:00 -0700
From: "Zone Labs Product Security" <Product-Security@...elabs.com>
To: <bugtraq@...urityfocus.com>
Subject: Zone Labs response to "ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZoneAlarm Pro, Security Suite and Integrity products which employ
Mobile Code Protection/ID Lock features do not inspect encrypted
traffic. If mobile code is downloaded via a Secure Sockets Layer
(SSL) session, it will not be inspected by these products. This is
by design and mandated by the SSL Protocol specification.
The intended purpose of SSL is to "provide privacy and reliability
between two communicating applications [1]." Computer users have the
expectation their SSL encrypted session will be encrypted end-to-end
between the server and client application (in this case, the Web
Browser).
As stated in the SSL Protocol Version 3.0:
For SSL to be able to provide a secure connection, both the client
and server systems, keys, and applications must be secure [1].
As such, Zone Labs products do not attempt to intercept, decrypt,
proxy,
or otherwise interfere with the SSL transaction. For our product --
or
any other application -- to behave otherwise would violate the intent
and
design of the SSL specification and could potentially expose and/or
risk the confidentiality of the data transmitted in the SSL
transaction.
A clarification of this common program limitation will be made
in the product help files and program interface.
Zone Labs encourages anyone with concerns about the security of our
products or services to contact us at security@...elabs.com.
[1] http://wp.netscape.com/eng/ssl3/draft302.txt
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQA/AwUBQNjWClDxXw2Is3mLEQJXvACg7qHHdJQ3O36pSypxv+BEnj8K1vEAoKc7
WrvhXTtn75BZ3mu6XRzAWOqY
=fXFJ
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists